Skip to main content

Check Your Template, And Look For Unfamiliar JavaScript Code, Following Odd Blog Behaviour

Recently, we've been seeing some odd problem reports in Blogger Help Forum: Something Is Broken, suggesting deviously hijacked blogs.
My blog is requesting me to login, using a user name and password, when I view it.
Given the URL of the window requesting the login, it's a simple matter for us to use the right forensic Internet software, and to locate a relevant snippet of code, frequently installed as part of the blog template.

Sometimes, when we reply to the blog owner with advice to remove a bit of dodgy code, we get a response suggesting disbelief. Our advice
Use the Template Editor, and remove the highlighted code snippet.
may receive a confused or skeptical response.
Where did that bit of code come from? I never installed that!
How did the code in question get installed? Discussion of one possible scenario may require thinking outside the box. Not every unrecognised blog change is being caused by memory loss by the blog owner, after an intentional accessory install or template tweak.

Looking at the subject / theme of some blogs involved in recent problem reports, we're seeing a beginning of a trend, which may indicate a new - and very subtle - blog hijacking technique. We know that Blogger blogs are subjected to brute force password guessing attacks, and we know that Blogger / Google has to consider the possibility that a brute force attack detection is made after the attack was successful.

Current blog security, and defense against blog hijacks, involves detection of hijack attempts, by Google Security. It's possible that some blogs, with some owning Blogger accounts and passwords, are more vulnerable to sophisticated password guess hacking.

When you login to Blogger or Google, you hopefully know the right account name and password, and are generally able to get logged in - after maybe one or two mistakes. You learn, soon enough, that if you have to guess your account name or current password - and you require more than a couple tries - you may have to solve yet another CAPTCHA, or request account unlock, to continue.

The ever unpopular CAPTCHA / locked account comes from Google, detecting a possible brute force attack in progress, and protecting your account and your blogs. A Blogger blog, with its content providing enough clues, combined with a simple account password that is easily guessed, may allow an experienced hacker to login to your account in one or two tries, without being detected by Google attack monitors.

It's alternately possible that some attacks are being conducted by very patient hackers, who are able to use days, and / or thousands of different computers, to conduct a throttled brute force password attack. Again, just attack without providing a detectable pattern.

This may help to explain the mysterious spam blog setups, of last year.

A hacker, able to login to a Blogger account without being detected, could install small changes in a blog template without ever being discovered. The blog owner would never discover subtle template changes, made by an easily satisfied hacker.

Finally, install latent code that does not activate immediately, as we observed during Winter 2009 / 2010, so no blogs show symptoms until the hack is installed on thousands of blogs. If one or two blog owners discover the odd code in their blogs, who would ever suspect their blog being part of a massive cloud of victims?

If you report odd behaviour by your blog, you write to Blogger Help requesting advice, and you are advised to remove a bit of dodgy code from the template - and you do not remember having installed the noted dodgy code - you may want to review your Blogger / Google password, and make the password harder to guess. Better still, start using 2-step verification for logging in to your Blogger / Google account.

>> Top


Popular posts from this blog

Stats Components Are Significant, In Their Own Context

One popular Stats related accessory, which displays pageview information to the public, is the "Popular Posts" gadget.

Popular Posts identifies from 1 to 10 of the most popular posts in the blog, by comparing Stats pageview counts. Optional parts of the display of each post are a snippet of text, and an ever popular thumbnail photo.

Like many Stats features, blog owners have found imaginative uses for "Popular Posts" - and overlook the limitations of the gadget. Both the dynamic nature of Stats, and the timing of the various pageview count recalculations, create confusion, when Popular Posts is examined.

Free Domain Registration By "UNONIC" Is Fraudulent

Blogger blog owners, like everybody else, like to save money.

Some blog owners prefer to save money when registering a custom domain, for their blogs. We've seen several free domain registration services, providing what is claimed to be a two level Top Level Domain "co.xx" (where "xx" == various country codes).

The latest in this ongoing story appears to be "" - and 13 other "top level domains".There is also an additional free service offering third-level .tf domains, under the name United Names Organisation. They occupy 14 second-level domains, including,,, and They are run by the same company as, and are given away as URL redirections.